The present invention relates to a public key certificate issuing system, a public key certificate issuing method, a digital certification apparatus, and a program storage medium for processing the issuance of a public key certificate proving the validity of a public key used by an electronic delivery system in transmitting encrypted data. More particularly, the invention relates to a public key certificate issuing system, a public key certificate issuing method, a digital certification apparatus, and a program storage medium for use by a certificate authority (CA) that issues a public key certificate compatible with a plurality of signature algorithms, whereby entities utilizing such public key certificates are afforded enhanced convenience.
Today, diverse kinds of software data such as game program data, voice data, image data, and word-processing program data (generically called contents) are being exchanged over networks and particularly over the Internet. Electronic commerce is also on the increase, characterized by online shopping outlets and network-based merchandising schemes.
In such a network-based data communication environment, it is customary to ensure data security, i.e., to make sure that each of the transmitting and receiving sides is a legitimate party to the other before exchanging the necessary data. One representative technique for implementing data security during data transfer involves combining data encryption with signing of data.
Encrypted data are decrypted to plain text data by use of a predetermined procedure. Various methods for encrypting and decrypting information using an encryption key and a decryption key respectively have been known.
One of the diverse methods of data encryption and decryption based on encryption and decryption keys is the so-called public key cryptosystem. This system involves a transmitting party having one key and a receiving party possessing another key, one of the keys being used as a public key available to an indefinite number of users, the other key being kept private. Illustratively, a data encryption key may be used as a public key and a decryption key as a private key. As another alternative, an authentication code generation key may be used as a private key and an authentication code decryption key as a public key.
Compared with the so-called common key cryptosystem using a common key in both encryption and decryption, the public key cryptosystem is advantageous in terms of key management in that the private key need only be possessed by one particular person. Because of its lower data processing speed than the common key cryptosystem, the public key cryptosystem is more often utilized in applications involving limited amounts of data such as delivery of private keys and digital signatures. A representative example of the public key cryptosystem is the RSA (Rivest-Shamir-Adleman) cryptosystem. The system uses a product of two very large prime numbers (e.g., of 150 digits each), taking advantage of the difficulty in factorizing the product of two large prime numbers into prime factors (and in obtaining the discrete logarithm of the product).
Another representative example of the public key cryptosystem is elliptic curve cryptography (ECC). This scheme capitalizes on the fact that computations can be defined between points on an elliptic curve whereby something similar to a discrete logarithmic problem (elliptic discrete logarithmic problem) can be created.
Whereas the RSA cryptosystem based on the factorization into prime factors can be attacked in sub-exponential time, elliptic discrete logarithmic problems can only be solved in exponential time. While the RSA cryptosystem has a key size of 512, 1,024 or 2,048 bits, schemes utilizing elliptic curve cryptography (ECC) such as the elliptic curve digital signature algorithm (ECDSA) have a key size as small as 160, 192 or 224 bits and still ensure the same degree of security as RSA. Because of its reduced key size, the ECDSA provides a significantly higher processing speed.
The public key cryptosystem is structured to offer public keys for use by an indefinite number of people. As such, the system most often utilizes what is known as a public key certificate proving that a distributed public key is valid. For example, suppose that a user A generates a key pair consisting of a public key and a private key and sends the generated public key to a certificate authority. In turn, the certificate authority sends back a public key certificate to the user A. The user A then discloses the public key certificate thus obtained to the public. An indefinite number of users go through a predetermined procedure to acquire the public key from the public key certificate, encrypt documents or other desired data using the acquired public key, and transmit what is encrypted to the user A. The user A decrypts the encrypted documents or data received using the previously generated private key. The user A also attaches signatures to the documents using the private key. The indefinite number of users go through the predetermined procedure to obtain the public key from the public key certificate and have the attached signatures verified.
The public key certificate will now be described by referring to FIG. 1. The public key certificate is a certificate issued by a certificate authority (CA; also called an issuing authority or IA) in a public key cryptosystem. When a user submits his ID and a public key to be included in a certificate, the certificate authority completes the certificate by furnishing it with a signature.
A typical public key certificate shown in FIG. 1 includes: a certificate version number; a serial number allocated to a certificate user by a certificate authority (CA); algorithm and parameters used for signature by the RSA, ECDSA, etc.; a certificate authority name; the period of certificate validity; the certificate user's name (user ID); the user's public key; and a digital signature.
The digital signature is generated to attest the whole range of certified items: certificate version number, certificate authority serial number, signature algorithm and parameters, certificate authority name, certificate validity, user ID, and user's public key. Illustratively, a hash value is generated over these items using a hash function, and the certificate authority's private key is applied to the hash value to generate the signature.
The certificate authority issues public key certificates such as the one shown in FIG. 1, updates expired public key certificates, and creates, manages and distributes a certificate revocation list that repudiates unscrupulous users. The certificate authority also generates public and private keys as needed.
When utilizing a public key certificate, a user gets a digital signature on his public key certificate verified using a certificate authority's public key in his possession. After the successful verification of the digital signature, the user utilizes the public key by extracting it from the public key certificate. It follows that all users employing public key certificates must have a common public key of the certificate authority.
A data transmission system may include a public key cryptosystem like the above-described scheme using public key certificates issued by the certificate authority. In that setup, the system allows each user to have the digital signature of his public key certificate verified and to extract the public key from the public key certificate after the successful signature verification. The user is then allowed to carry out a certification process based on the public key cryptosystem or to encrypt or decrypt outgoing or incoming data using the cryptosystem. The problem is that end entities such as user devices performing various processes based on the public key cryptosystem are rarely compatible with all of such diverse encryption algorithms as the ECDSA, RSA and others. In most cases, each entity is capable of dealing with only one algorithm (ECDSA algorithm or RSA algorithm in particular).
Such devices each compatible with only a specific encryption algorithm can only be used with public key certificates based on that algorithm alone. Public key certificates signed by use of any other algorithm cannot be verified upon receipt.
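The following Python example is added here to illustrate the process described above; it is not part of the original document. It builds a certificate with the FIG. 1 fields, signs the certified items with a constructed toy RSA key pair (tiny primes, no padding, for illustration only), verifies the signature with the CA's public key, and shows that an end entity supporting only RSA rejects both a tampered certificate and one whose signature algorithm field names ECDSA. All field values, key material and names are constructed.

```python
import hashlib
import json

# Constructed toy RSA key pair for the certificate authority (p=61, q=53, so n=3233, e=17, d=2753).
# Illustration only: real CA keys are 1024+ bit and use a padding standard such as PKCS#1.
CA_PUBLIC_KEYS = {"RSA": {"n": 3233, "e": 17}}
CA_PRIVATE_KEY = {"n": 3233, "d": 2753}

# Every FIG. 1 item the CA signature attests, i.e. everything except the signature itself.
SIGNED_FIELDS = ("version", "serial", "sig_alg", "issuer", "validity", "subject", "public_key")


def certified_items(cert):
    # Canonical byte encoding of the certified items so signer and verifier hash identical input.
    return json.dumps({k: cert[k] for k in SIGNED_FIELDS}, sort_keys=True).encode()


def digest_int(data, modulus):
    # Hash the certified items with SHA-256 and reduce the value into the RSA group.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus


def issue_certificate(serial, subject, subject_public_key):
    # The CA fills in the certificate fields and completes the certificate with its RSA signature.
    cert = {"version": 1, "serial": serial, "sig_alg": "RSA", "issuer": "Toy-CA",
            "validity": "2024-01-01/2025-01-01", "subject": subject, "public_key": subject_public_key}
    h = digest_int(certified_items(cert), CA_PRIVATE_KEY["n"])
    cert["signature"] = pow(h, CA_PRIVATE_KEY["d"], CA_PRIVATE_KEY["n"])
    return cert


def verify_certificate(cert, supported_algs, ca_public_keys=CA_PUBLIC_KEYS):
    """Return True only if this entity supports the signature algorithm and the CA signature checks out."""
    alg = cert["sig_alg"]
    if alg not in supported_algs or alg not in ca_public_keys:
        # An end entity built for one algorithm cannot verify a certificate signed with another.
        return False
    pub = ca_public_keys[alg]
    expected = digest_int(certified_items(cert), pub["n"])
    return pow(cert["signature"], pub["e"], pub["n"]) == expected


def demo():
    good = issue_certificate(serial=1001, subject="user-A", subject_public_key="pubA")
    tampered = dict(good, public_key="pubM")  # someone swaps in another public key after signing
    # Constructed certificate that merely claims an ECDSA signature; an RSA-only entity cannot check it.
    foreign = dict(good, sig_alg="ECDSA", signature=0)
    rsa_only = {"RSA"}
    return (verify_certificate(good, rsa_only),
            verify_certificate(tampered, rsa_only),
            verify_certificate(foreign, rsa_only))
```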
One of the challenges to be addressed in establishing a certificate authority (CA) is how to store private keys as signature keys while ensuring security in providing signatures. Another challenge is how to improve the speed of signature computation, which is conducive to boosting system performance of the certificate authority. One way to ensure signature security and boost computing speed is by resorting to dedicated hardware (HSM: hardware security modules) for signature key (private key) storage and signature provision. Highly tamper-resistant, HSMs play a significant role in enhancing the level of security. At present, there are systems utilizing HSMs but none of them is compatible with multiple different signature algorithms. Hence the growing need for the certificate authority (CA) to accommodate a plurality of signature algorithms.
Conventionally, as shown in FIG. 2, an ECDSA end entity (device) 23 (compatible with the ECDSA algorithm) requests an ECDSA registration authority (ECDSA-RA) 22 (performing a signature process based on the ECDSA algorithm) to issue or update a public key certificate. The ECDSA registration authority 22 certifies entities or devices taking part in various services, receives public key certificate issuance requests from these entities or devices, and forwards the requests to an ECDSA certificate authority (ECDSA-CA) 21 that performs a signature process based on the ECDSA algorithm. In turn, the ECDSA certificate authority 21 issues public key certificates based on the signature process using the ECDSA algorithm, and distributes the certificates to the ECDSA end entities 23 via the ECDSA registration authority 22.
On the other hand, an RSA end entity (device) 33 (compatible with the RSA algorithm) requests an RSA registration authority (RSA-RA) 32 (performing a signature process by use of the RSA algorithm) to issue or update a public key certificate. The RSA registration authority 32 certifies entities or devices participating in diverse services, receives public key certificate issuance requests from these entities or devices, and forwards the requests to an RSA certificate authority (RSA-CA) 31 that performs a signature process based on the RSA algorithm. In turn, the RSA certificate authority 31 issues public key certificates based on the signature process using the RSA algorithm, and distributes the certificates to the RSA end entities 33 via the RSA registration authority 32.
As described, two (or more) different processing blocks are established to deal with two different signature algorithms. Each processing block constitutes a closed system wherein a public key cryptosystem specific to that block alone is used to effect certification and transmit encrypted data.
The ECDSA end entity 23 is incapable of verifying a public key certificate received from the RSA device 33 with a signature in the RSA algorithm. The received public key certificate will not serve as a certificate as long as its validity is not established. Conversely, the RSA end entity 33 cannot verify a public key certificate received from the ECDSA end entity 23 with a signature in the ECDSA algorithm; the validity of the public key certificate remains uncertain following its receipt.
If the ECDSA end entity 23 and RSA end entity 33 in FIG. 2 were to verify the validity of a public key certificate coming from the other party, each party would have to resort to a circuitous validation procedure: the received public key certificates are first transmitted respectively to the ECDSA registration authority 22 and RSA registration authority 32, and forwarded from there to the ECDSA certificate authority 21 and RSA certificate authority 31. The ECDSA certificate authority 21 and RSA certificate authority 31 then exchange queries about the respective certificates. The results of the queries are finally sent back to the respective end entities for certification purposes.
It is therefore an object of the present invention to overcome the above and other deficiencies of the related art, particularly of data communication systems based on the public key cryptosystem dealing with public key certificates, and to provide a public key certificate issuing system, a public key certificate issuing method, a digital certification apparatus, and a program storage medium for allowing a single certificate authority to support a plurality of encryption algorithms and to issue a public key certificate with signatures in different algorithms so that devices each compatible with a particular encryption algorithm alone, such as ECDSA end entities or RSA end entities, may effectively utilize the public key certificate from one another for cross-certification and data communication therebetween.